Privacy Policy

Habsy Inc. – Privacy Policy

Habsy Inc. (“Habsy,” “we,” “us,” “our”) provides habsy.ai, an AI-powered intelligent business card manager that helps professionals capture, organize, and enrich contacts using artificial intelligence, machine learning, and computer vision. We are committed to protecting the privacy and security of personal information processed through our services.
This Privacy Policy explains what personal information we collect, how we use it, how we share it, how we protect it, and what choices and rights you have when you:
● Visit our website (https://habsy.ai/)
● Use the Habsy Business Card Manager mobile or desktop app (“App”)
● Access related tools, APIs, or web interfaces
● Interact with our sales, support, or marketing teams
Together, these are referred to as the “Service.”
By installing the App, creating an account, or using the Service, you acknowledge that you have read and understood this Privacy Policy and, where required by law, consent to our processing of your personal information as described here. If you do not agree, please do not install the App, create an account, or use the Service.

Last Updated: May 14, 2026

1. Who We Are

Habsy Inc. (“Habsy,” “we,” “us,” “our”) provides habsy.ai, an AI-powered intelligent business card manager that helps professionals capture, organize, enrich, and act on contacts using artificial intelligence, machine learning, and computer vision. We are committed to protecting the privacy and security of personal information processed through our services.

This Privacy Policy explains what personal information we collect, how we use it, how we share it, how we protect it, and what choices and rights you have when you visit our website (https://habsy.ai/), use the Habsy mobile or desktop application (the “App”) available on the Apple App Store and Google Play, access related tools, APIs, or web interfaces, or interact with our sales, support, or marketing teams. Together, these are referred to as the “Service.”

Habsy Inc. is incorporated in Canada with its registered office at 300–181 University Ave, Toronto, ON M5H 3M7, Canada, and operates with development and engineering support through Habsy Technologies Private Limited in Bangalore and Coimbatore, India.

Habsy acts as a controller (or “organization”) for personal information we collect directly from users and website visitors, and as a processor (or “service provider”) when we process personal information on behalf of a customer or account holder. Where we act as a processor, our processing is governed by the applicable contract and any Data Processing Addendum (DPA).

By installing the App, creating an account, or using the Service, you acknowledge that you have read and understood this Privacy Policy and, where required by law, consent to our processing of your personal information as described here.

habsy.ai is a cloud-based SaaS platform that securely processes and manages professional contact information for individual users and enterprise customers.

2.1 Business Card Capture, Event Lead Capture, and Digitization
• AI-powered mobile scanning for fast business card capture, including batch scanning of multiple cards at once (up to 150 cards in five minutes).
• Advanced OCR to extract key details (name, title, company, phone, email, address, social profiles, website) with real-time accuracy and an interface for manual verification.
• Event badge scanning (supports VCF and text-based badges), QR code scanning for instant digital business card sharing, and manual contact entry.
• Event lead capture with geo-tagging to associate contacts with specific events, venues, and locations (when location permission is enabled).
• Audio notes and voice capture to add context or reminders to contacts.
• Digital business card creation and sharing for contactless professional exchanges.

2.2 Person Enrichment Engine
• Publicly available professional information (where permitted by law and source) may be collected to provide additional context about contacts, including public profile extraction, AI-generated professional bios, career history mapping, decision-maker identification, and professional insights.

2.3 Company Enrichment Intelligence
• Publicly available company information (including web presence, social channels, press mentions, and milestones) may be collected to enrich company profiles, including company overview, mission, organizational hierarchy, industry classification, office locations, and public contact details.

2.4 Contact Management and Organization
• Advanced tagging, segmentation, custom fields, multi-device synchronization (iOS, Android, web), offline access, contact notes, voice notes, reminders, follow-up scheduling, multi-language support, and user data export and deletion capabilities.

2.5 Relationship and Networking Feature
• Follow-up reminders and scheduling, contact segmentation and filtering, smart outreach generation (WhatsApp, LinkedIn, email drafts), and contact export in standard formats (CSV, VCF).

2.6 Platform Integration and Portability
• Integration-ready architecture for CRM and productivity tools (including Salesforce, HubSpot, and Zoho), data export in standard formats, and APIs and webhooks for enterprise workflows.

Habsy operates an Information Security Management System (ISMS) designed to align with leading security and privacy frameworks, including:

• SOC 2 Type II (AICPA Trust Services Criteria — Security, Availability, Confidentiality, Privacy)
• ISO/IEC 27001:2022 (International Standard for Information Security Management)
• PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act)
• GDPR and UK GDPR (EU/EEA and United Kingdom General Data Protection Regulation)
• CCPA/CPRA (California Consumer Privacy Act, as amended by the California Privacy Rights Act)
• DPDPA (India’s Digital Personal Data Protection Act, 2023)

We use secure, industry-standard cloud infrastructure and follow best practices in access control and identity management, encryption of data in transit and at rest, network and application security, logging, monitoring, and incident response, vendor risk management, and regular security reviews with continuous compliance monitoring.

We do not publish detailed internal infrastructure or vendor lists publicly for security reasons. Enterprise customers and prospects can request detailed security and compliance information under NDA by contacting privacy@habsy.ai.

Below are the categories of personal information we collect, along with the purposes and legal bases for each.

4.1 Account and Profile Information
Data Collected:
Full name; email address; encrypted password (if not using SSO); organization name; profile photo (if uploaded); account preferences (language, time zone, feature settings).
Purpose: Account creation, login, identity verification, profile setup, service delivery, security notifications, and account recovery.
Legal Basis: Contract performance.

4.2 Business Card Content and Contact Information
Data Collected:
Contact names; job titles; company names; phone numbers; email addresses; physical addresses; websites and social media links; QR codes and event badges; scanned business card images; contact profile photos; manual contact entries; custom labels/tags; notes, reminders, and voice memos.
Purpose: Core business card digitization and OCR extraction, contact storage and syncing, relationship tracking, reminders, voice memos, offline access, and user-initiated sharing/export.
Legal Basis: Contract performance (core functions); consent for voice memos/audio capture where required.

4.3 Enriched Person Data (AI-Generated)
Data Collected:
Public professional profile data; AI-generated professional summaries and bios; career history (titles, companies, tenure); educational background (if publicly available); professional skills and role information; public social media presence.
Purpose: Contact enrichment, networking context, decision-maker identification, and business intelligence.
Legal Basis: Legitimate interests (providing useful context from publicly available data).

4.4 Enriched Company Data (AI-Generated)
Data Collected:
Company name and description; industry classification and estimated size; office locations and public contact details; mission, vision, products/services; organizational structure and leadership; notable public information (press, milestones).
Purpose: Company intelligence and organizational context to support networking and sales insights.
Legal Basis: Legitimate interests (using publicly available data).

4.5 Device and Technical Data
Data Collected:
IP address; device identifiers; device type/model, OS version, browser type; app version, screen resolution, locale/language settings; pages or screens visited, features used, time spent, navigation patterns; button clicks, search queries, export/sharing activity; approximate geolocation (when enabled).
Purpose: App functionality and compatibility, security and fraud monitoring, abuse prevention, session management, analytics, performance/error detection, personalization, and optional location-based features.
Legal Basis: Contract performance; legitimate interests (security and service improvement); consent (for location data and analytics in specific jurisdictions).

4.6 Device Permissions (With Consent)
We request the following device permissions, each revocable via your device settings at any time:

• Notifications — reminders, follow-up prompts, and essential service or security notifications.
• Camera — card, badge, and QR code scanning.
• Photo/Media Library — importing card images.
• Contacts — importing or exporting contacts.
• Microphone — voice notes and audio capture.
• Location — optional contextual/location-based features.

Legal Basis: Explicit consent (granular, per permission; revocable via device settings).

4.7 Communication and Interaction Data
Data Collected:
Support emails and tickets; in-app support messages; feedback and feature requests; bug reports; email open/click rates; marketing email engagement; newsletter preferences and opt-in/opt-out history.
Purpose: Customer support and troubleshooting, service improvement, incident investigation, marketing communications (when opted-in), and measuring communication effectiveness.
Legal Basis: Contract performance; legitimate interests (support and improvement); consent (for marketing where required).

4.8 Transaction and Subscription Data
Data Collected:
Subscription plan details; billing address; invoices and transaction IDs; subscription status, renewal and cancellation dates.
Purpose: Billing and subscription management, payment processing, invoicing, renewal management, refunds, fraud prevention, and financial/tax compliance reporting.
Legal Basis: Contract performance; legal obligations (financial record-keeping); legitimate interests (fraud prevention).

We do not directly collect or store full payment card details. Payments are processed via PCI-DSS–compliant third-party processors (e.g., Stripe). These providers handle card information on their systems and share only limited metadata with us for payment confirmation, invoicing, and subscription management.

4.9 Integration and API Data
Data Collected:
Integration configuration details and authorization scopes; API tokens/keys (stored securely and encrypted); records of exported contacts to connected systems; webhook URLs and API usage logs.
Purpose: Enable CRM integrations, API-based workflows, webhooks, and data portability.
Legal Basis: Contract performance; consent (at the time of authorizing each integration).

4.10 Diagnostic, Security, and Audit Data
Data Collected:
Error and crash logs; performance metrics; security event logs (logins, access changes, permission updates); API request logs and session IDs; MFA records and failed login attempts; suspicious activity alerts.
Purpose: Security and threat monitoring, incident response, fraud detection, vulnerability management, uptime monitoring, performance optimization, debugging, compliance auditing.
Legal Basis: Legitimate interests (security and reliability); legal obligations; contract performance.

4.11 Cookies and Tracking Technologies
We use cookies and similar tracking technologies for session management and authentication, remembering preferences, analytics and product improvement, and measuring marketing performance. Where required by law (e.g., in the EU/UK), we present a cookie banner to obtain consent for non-essential cookies. You can manage preferences via our cookie controls or your browser settings.

Legal Basis: Contract performance (essential cookies); legitimate interests (improvement and security); consent (analytics/marketing cookies where required).

4.12 Data We Do Not Intentionally Collect
We do not intentionally collect or require: full credit card numbers or CVV codes, government-issued ID numbers (SIN, SSN, passport), medical or health information, biometric identifiers, data about children (individuals under 18), or precise background geolocation tracking without explicit opt-in. If you believe you have accidentally provided such information, please contact privacy@habsy.ai so we can delete or anonymize it.

We process personal information to provide and operate the habsy.ai Service; enable AI-powered OCR and enrichment features; secure and protect user accounts and our platform; support and communicate with you; improve and innovate our product; and meet legal, regulatory, and contractual obligations.

We do not use your business card or contact data to build advertising profiles for third parties, and we do not sell personal information. We do not share personal information for cross-context behavioral advertising. We will not use your data for materially different purposes without explaining the new purpose and, where required, obtaining your consent.

We use artificial intelligence, machine learning, and computer vision technologies to recognize and extract text from business card images and event badges; normalize and structure contact and company information; enrich contacts with publicly available data; and generate summaries and contextual information to help you understand and prioritize relationships.

We design these systems with privacy and security controls. As disclosed on our AI Transparency page (habsy.ai/ai-transparency), we use third-party AI services, including OpenAI, for assistance features such as drafting, summarization, content improvement, and email template generation. AI-generated outputs are presented as suggestions for you to review, modify, or discard before use. We do not use your private business card data to train third-party models in any way that would expose your data to other customers. Customer input data, and its association with specific enrichment results, are treated as confidential.

AI-generated and enriched information may occasionally be incomplete, outdated, or inaccurate. These features are intended to assist you and should be used in combination with your own judgment.

We do not sell your personal information. We share personal data only in the following limited circumstances.

Service Providers.
We engage carefully vetted third-party service providers to help operate the Service (cloud hosting, analytics, payment processing, email delivery, customer support, and compliance services). All providers are bound by confidentiality and data protection obligations and may only process personal information on our instructions. Enterprise customers may request a detailed subprocessor list under NDA by contacting privacy@habsy.ai.

AI and LLM Providers.
Portions of the data we process may be sent to third-party AI and LLM providers for OCR, classification, extraction, and enrichment purposes. We select providers that offer appropriate data protection commitments and, where available, use configurations that prevent our data from being used to train their general-purpose models.

Legal, Security, and Protection of Rights.
We may disclose personal information to comply with applicable laws, regulations, or legal processes; respond to lawful requests from public authorities; enforce our agreements and terms; protect the rights, property, or safety of Habsy Inc., our users, or others; and detect, investigate, or prevent fraud, security incidents, or abuse.

Business Transfers.
In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of the transaction, subject to customary confidentiality commitments and continued protection consistent with this Privacy Policy.

We operate on secure cloud infrastructure and may process personal information in multiple regions to ensure performance and reliability. When personal data is transferred across borders, we implement appropriate safeguards—such as the Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum—and apply encryption to protect the data and comply with applicable laws. For transfers of personal information originating in Canada, we ensure that contractual or other measures provide a comparable level of protection as required under PIPEDA. Copies of relevant safeguards are available on request.

9. Security Measures

We apply organizational, technical, and physical safeguards to protect personal information, including:

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Access Controls: Role-based access control (RBAC) with least privilege; multi-factor authentication (MFA) for all internal systems handling personal information; regular access reviews and rapid revocation on role change or departure.
• Monitoring: Security event logging, continuous monitoring with alerting for suspicious activities, and comprehensive audit trails.
• Incident Response: Documented incident response plan covering detection, containment, investigation, notification (including GDPR’s 72-hour breach notification and PIPEDA’s “as soon as feasible” requirement), and post-incident review.
• Privacy by Design: Data Protection Impact Assessments (DPIAs) conducted when required; data minimization practices throughout the development lifecycle.
• Training: Regular privacy and security training for all staff, with enhanced training for engineering and operations teams.

We align our security program with SOC 2 Type II and ISO/IEC 27001:2022 standards. While no system can be guaranteed 100% secure, we continuously monitor and strengthen our security posture.

• Account and profile data: Retained while your account is active and for a reasonable period after closure, unless a longer period is required by law.
• Business card images and contact data: Retained until you delete them or close your account. After deletion or account closure, data is removed or de-identified in accordance with our retention and backup policies.
• Security and diagnostic logs: Retained for approximately ninety (90) days, or as required by law, then deleted or aggregated.
• Backups: Retained per our backup and disaster recovery policies and not used for day-to-day processing except for recovery purposes.

We may retain aggregated or de-identified information (which cannot reasonably be linked back to an individual) indefinitely for analytics, research, or product improvement purposes.

11. Your Rights and Choices

Your privacy rights depend on your jurisdiction, but we aim to respect core privacy rights for all users.

11.1 Access, Correction, Deletion, Restriction
You may have the right to access the personal information we hold about you; correct inaccurate or incomplete information; delete personal information (subject to legal or contractual obligations); and restrict or object to certain processing activities (for example, opting out of enrichment processing).

11.2 Data Portability
You may request a copy of your data in a machine-readable format (CSV, VCF, JSON) and, where technically feasible, have us transfer it to another service.

11.3 Marketing Communications
You can opt out of marketing emails at any time by clicking the “unsubscribe” link or by contacting us. We will still send essential transactional and security communications.

11.4 Canadian Residents (PIPEDA)
If you are located in Canada, you have rights under PIPEDA, including the right to access the personal information we hold about you, the right to challenge the accuracy and completeness of your information and have it amended as appropriate, the right to withdraw consent to our collection, use, or disclosure of your personal information (subject to legal or contractual restrictions), and the right to file a complaint with the Office of the Privacy Commissioner of Canada.

11.5 EU/UK Residents (GDPR/UK GDPR)
If you are located in the EEA, UK, or Switzerland, you have rights to access, rectification, erasure, restriction, objection, and data portability. You also have the right to lodge a complaint with your local Data Protection Authority. Where our processing is based on legitimate interests, you have the right to object, and we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims.

11.6 California Residents (CCPA/CPRA)
If you are a California resident, you have rights to know what personal information we collect, use, disclose, and share; the right to delete your personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (Habsy does not sell personal information, and does not share it for cross-context behavioral advertising); the right to limit the use of sensitive personal information; and the right to non-discrimination for exercising your privacy rights. You may designate an authorized agent to make a request on your behalf, subject to verification.

11.7 India Residents (DPDPA)
If you are located in India, you have rights under the Digital Personal Data Protection Act, 2023, including the right to access, correction, and erasure of your personal data, the right to grievance redressal, and the right to nominate another person to exercise your rights in the event of your death or incapacity. You may also file a complaint with the Data Protection Board of India.

11.8 How to Exercise Your Rights
To exercise any of your rights, contact us at privacy@habsy.ai with the subject line “Privacy Request — [Access/Deletion/Correction/Portability/Objection].” We may need to verify your identity for security purposes and will respond within the timeframes required by applicable law, generally within thirty (30) days.

The Service is intended for business and professional use and is not directed to individuals under 18. We do not knowingly collect personal information from children. If you become aware that a child has provided personal information to us, please contact privacy@habsy.ai and we will take steps to delete such information.

By installing the Habsy App, creating an account, or continuing to use the Service, you acknowledge and (where applicable) consent to the collection and use of your personal information as described in this Privacy Policy; the use of AI, OCR, and enrichment technologies to digitize business cards and enrich profiles using publicly available data; the use of device permissions as requested by your operating system; the use of secure cloud infrastructure and international data transfers with appropriate safeguards; the use of cookies and analytics as described herein; the receipt of essential communications and optional marketing communications (with the ability to opt out); and the processing of third-party personal information that you provide to us, on the understanding that you have the necessary authorization or lawful basis to do so.

Withdrawing Consent.
Where we rely on your consent, you may withdraw it at any time by updating your preferences in the App, using the “unsubscribe” link in any marketing email, changing your device settings to revoke permissions, or contacting privacy@habsy.ai. Withdrawal of consent for essential processing may limit our ability to provide certain features of the Service.

Our website and App may contain links or integrations to third-party websites, applications, and services (e.g., CRM systems, event platforms, public professional profile sites). This Privacy Policy does not apply to information collected by those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you connect with through Habsy.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technologies, legal obligations, or business practices. When we make material changes, we will update the “Last Updated” date at the top of this policy and, where appropriate, provide additional notice (via email, in-app alert, or website notice), and obtain consent if required by law.

16. Governance, Risk, and Compliance Program

Habsy has implemented a formal Governance, Risk, and Compliance (GRC) program designed to align our internal security and privacy controls with globally recognized standards. We work with a leading GRC and compliance automation provider to support continuous compliance, evidence collection, and audit readiness.

Core Privacy and Security Principles.
• Customer Ownership: You remain the owner of the data you upload to habsy.ai. We process your data only to provide the Service and do not claim ownership of your contacts or content.
• Transparency: We explain what we collect, why, and how we use and protect it.
• Security First: Personal information is protected using industry-standard encryption, access controls, and monitoring.
• Minimal Collection: We collect only data necessary to operate and improve the Service and meet legal obligations.
• User Control: You have meaningful control over your data, including the ability to access, correct, delete, export, or opt out of certain processing.

Our compliance program and certification efforts do not limit your rights under this Privacy Policy or applicable law. For questions about our compliance program, contact privacy@habsy.ai.

Current Status (April 2026).
• SOC 2 Type II: Controls internally implemented; evidence collection and observation period underway. Independent audit targeted for H2 2026.
• ISO/IEC 27001:2022: ISMS fully implemented and operating; pre-audit preparation in progress. Certification targeted for H2 2026.
• GDPR: Compliance framework implemented (lawful bases, data subject rights processes, DPIAs, security measures). External verification in progress.
• PIPEDA: Aligned with all ten PIPEDA Fair Information Principles. Third-party personal information access control procedures documented and operational. Breach notification framework documented.
• CCPA/CPRA: Consumer rights (access, deletion, correction, opt-out, portability) implemented. Opt-out mechanisms and preference settings operational.
• DPDPA: Implementation in progress. Compliance monitoring and grievance redressal framework under development.

Evidence and Validation.
To support customer due diligence, we can provide compliance documentation including engagement letters from our GRC automation partner, policy and control summaries, and templates for key compliance documents (DPA, SCCs). Some materials may be provided under NDA. To request documentation, contact privacy@habsy.ai with the subject line “Request: Compliance Documentation.”

Trust and Security Page.
We are developing a dedicated Trust and Security page at habsy.ai/trust. Until that page is live, this Privacy Policy and documentation provided directly serve as the primary sources of information about our security and compliance program.

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Habsy Inc. — Privacy Team

Email: privacy@habsy.ai

General Inquiries: contact@habsy.ai